Target IP: 10.10.31.204
There are three TCP ports open on the target machine, as shown above.
Port 80: HTTP
The webpage above is displayed for this application.
Doing a directory search using the command gobuster dir -u http://10.10.31.204/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt shows the result above. The interesting directory is the /custom.
There is a file called users.bak in the /custom/js directory. The contents of this file are shown above. I used crackstation to crack this hash and obtained the password bulldog19. I now have the credential admin:bulldog19.
Port 8765: HTTP
The login page above is displayed for this port. I used the credential I obtained to gain access to this web application.
After logging in, the webpage above is shown. Reading the source code gives three key details:
1. alert("Insert XML Code!") code is run. Does that mean XXE can be used?
2. <!-- Barry, you can now SSH in using your key!-->. Can I obtain the SSH key of barry?
3. //document.cookie = "Example=/auth/dontforget.bak";
I downloaded the dontforget.bak file first; I can use the format of this XML file to launch XXE attacks.
I created the payload above to match the format required by the application. After sending it, I got the /etc/passwd file! I notice there are two users: barry and joe. From previous enumeration, I should be able to obtain the SSH key of barry.
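The fix for the XXE found above is on the parser side: the application should refuse any document that carries a DOCTYPE, because the external entity has to be declared there. The following is an added example, not code from this box or the original writeup, using only the Python standard library; the XML layout is constructed and does not reproduce the real dontforget.bak format.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse a flat XML document into {tag: text} while refusing any DTD.

    XXE needs a DOCTYPE to declare its external entity, so rejecting the
    DOCTYPE itself (rather than filtering "bad" entities) closes the hole.
    """
    parser = xml.parsers.expat.ParserCreate()
    result: dict = {}
    open_tags = []  # stack of currently open element names

    def reject(*_args):
        raise DtdRejected("DOCTYPE and entity declarations are not allowed")

    # Any of these callbacks firing means the document declares a DTD.
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    def start(name, _attrs):
        open_tags.append(name)
        result.setdefault(name, "")

    def end(_name):
        open_tags.pop()

    def chars(text):  # expat may deliver text in several chunks
        if open_tags:
            result[open_tags[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


# Constructed samples (not the real application's format).
BENIGN = b"<note><to>barry</to><msg>hello</msg></note>"
WITH_DTD = b'<!DOCTYPE note [<!ENTITY x "y">]><note><msg>&x;</msg></note>'


def demo() -> tuple:
    """Return (parsed benign document, whether the DTD document was rejected)."""
    parsed = parse_without_dtd(BENIGN)
    try:
        parse_without_dtd(WITH_DTD)
        rejected = False
    except DtdRejected:
        rejected = True
    return parsed, rejected
```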
And now I have the SSH key of barry using the XXE payload shown below.
Payload used to obtain the SSH key of user barry:
I copied the SSH key by viewing the source code of the webpage. I cracked the passphrase of the SSH key using john and obtained the passphrase urieljames, changed the permissions of the SSH key to 400, and used this key to access SSH as barry. Now I have a foothold on the machine.
This is an interesting binary with the SUID bit set.
Running strings on this binary shows it calls tail without an absolute path, which means I can create a malicious version of tail.
And now I have a root shell. GG.
The user.txt flag, obtained once I gained a foothold on the machine using the SSH key.
The root.txt flag, obtained once I used the SUID binary by creating a malicious tail that exploits the PATH vulnerability.